FIPS 140‐2 Security Policy for: Toshiba Secure TCG Opal SSC and Wipe technology Self-Encrypting Drive Series MQ01ABU050BW, MQ01ABU032BW, and MQ01ABU025BW TOSHIBA CORPORATION Rev 1.1 Jan 17, 2014 1 OVERVIEW ................................................................................................................................................ 3 ACRONYMS ............................................................................................................................................... 3 SECTION 1 – MODULE SPECIFICATION............................................................................................... 4 SECTION 1.1 – PRODUCT VERSION ...................................................................................................... 4 SECTION 1.2 – LOGICAL TO PHYSICAL PORT MAPPING ................................................................... 4 SECTION 2 – ROLES SERVICES AND AUTHENTICATION .................................................................. 4 SECTION 2.1 – SERVICES ....................................................................................................................... 5 SECTION 3 – PHYSICAL SECURITY ...................................................................................................... 7 SECTION 4 – OPERATIONAL ENVIRONMENT ..................................................................................... 9 SECTION 5 – KEY MANAGEMENT ......................................................................................................... 9 SECTION 6 – SELF TESTS ..................................................................................................................... 10 SECTION 7 – DESIGN ASSURANCE ..................................................................................................... 10 SECTION 8 – MITIGATION OF OTHER ATTACKS............................................................................... 10 Jan 17, 2014 2 Overview The Toshiba Secure TCG Opal SSC and Wipe Technology Self-Encrypting Drive Series (MQ01ABU050BW, MQ01ABU032BW, and MQ01ABU025BW) is used for hard disk drive data security. This Cryptographic Module (CM) provides various cryptographic services using FIPS approved algorithms. Services include hardware-based data encryption, cryptographic erase, independently protected user data LBA ranges, host device authentication and secure automatic data invalidation. The last two services are provided by the Toshiba Wipe Technology. This CM is multiple-chip embedded, and the physical boundary of the CM is the entire HDD. The physical interface for power-supply and for communication is one SATA connector. The CM is connected with host system by this SATA connector. The logical interface is the SATA, TCG SWG, Opal SSC, IEEE1667 (Probe Silo and TCG Storage Silo), and Toshiba Wipe Technology protocol. The CM has the non-volatile storage area for not only user data but also the keys, CSPs, and FW. The latter storage area is called the “system area”, which is not logically accessible / addressable by the host application. Section Level 1. Cryptographic Module Specification 2 2. Cryptographic Module Ports and Interfaces 2 3. Roles, Services, and Authentication 2 4. Finite State Model 2 5. Physical Security 2 6. Operational Environment N/A 7. Cryptographic Key Management 2 8. EMI/EMC 2 9. Self‐Tests 2 10. Design Assurance 2 11. Mitigation of Other Attacks N/A Overall Level 2 Table 1 ‐ Security Level Detail This document is non-proprietary and may be reproduced in its original entirety. Acronyms AES Advanced Encryption Standard CM Cryptographic Module CSP Critical Security Parameter DRBG Deterministic Random Bit Generator EDC Error Detection Code FW Firmware HMAC Keyed-Hashing for Message Authentication code KAT Known Answer Test LBA Logical Block Address MSID Manufactured SID NRBG Non-deterministic random bit generator Jan 17, 2014 3 PCB Printed Circuit Board POST Power on Self-Test PSID Printed SID SED Self-Encrypting Drive SHA Secure Hash Algorithm SID Security ID Section 1 – Module Specification The CM has one FIPS 140 approved mode of operation. The CM provides services defined in Section 2.1 and other non-security related services. After initial setup steps, this CM is always in approved mode of operation. Section 1.1 – Product Version The Toshiba Secure TCG Opal SSC and Wipe technology SED has been validated: 1. MQ01ABU050BW(2.5-inch, SATA Interface, 500GB), HW version: AA, FW version: FN001S 2. MQ01ABU032BW(2.5-inch, SATA Interface, 320GB), HW version: AA, FW version: FN001S 3. MQ01ABU025BW(2.5-inch, SATA Interface, 250GB), HW version: AA, FW version: FN001S Section 1.2 – Logical to Physical Port Mapping FIPS140-2 Interface Module Ports Data Input SATA Connector Data Output SATA Connector Control Input SATA Connector Status Output SATA Connector Power Input SATA Connector Section 2 – Roles Services and Authentication This section describes roles, authentication method, and strength of authentication. Role Type of Authentication Authentication Multi Attempt strength Authentication Strength Crypto Officer LockingSP.Admin1 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 A (CoLAx) LockingSP.Admin2 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 LockingSP.Admin3 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 LockingSP.Admin4 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 Crypto Officer AdminSP.Admin1 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 B(CoAA) Crypto Officer Wipe Admin Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 C(CoWA) Crypto Officer Wipe Maker Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 D(CoWM) Crypto Officer LockingSP.User1 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 E(CoLSUx) (*) … … … … … LockingSP.User9 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 Jan 17, 2014 4 User A LockingSP.User1 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 (ULUx) LockingSP.User2 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 … … … … … LockingSP.User9 Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 User B(UM) Master Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 User C(UU) User Role PIN 1/248 < 1/1,000,000 60,000 / 248 < 1 / 100,000 Table 2 Identification and Authentication Policy (*)Available only when the CM uses TCG Single User Mode functionality. Per the security policy rules, the minimum PIN length is 6 bytes. Therefore the probability that a random attempt will succeed is 1/248 < 1,000,000. The CM waits 1msec when authentication attempt fails, so the maximum number of authentication attempts is 60,000 in 1 min. Therefore the probability that random attempts in 1min will succeed is 60,000 / 248 < 1 / 100,000. Section 2.1 – Services This section describes services which the CM provides. The CM supports the Single User Mode functionality defined in the Single User Mode feature set of TCG Opal. The LockingSP.Reactivate or LockingSP.Activate method could enable a single user mode. Authorized roles of some services differ when the CM is in single user mode. About such services, the Role(s) column in table3 is divided into two rows. The upper row shows authorized roles in non-single user mode (normal mode), and the lower row shows authorized roles against range X in single user mode. Service Description Role(s) Keys & RWX(Re Algorithm(CAVP Method CSPs Certification ad/Write/e Number) Xecute) Cryptographic Erase user data (in UM MEK(s) W Hash_DRBG(#334) ATA SECURITY Erase cryptographic means) UU RKey X SHA256(#2081) ERASE PREPARE + by changing the data PIN W AES256CTR(#2447) ATA SECURITY encryption key ERASE UNIT Data read/write Encryption / None MEK(s) X AES256CBC(#2448) ATA READ,WRITE (decrypt/encryp decryption of unlocked Commands t) user data to/from range Enable/Disable Enable/Disable CoLAx N/A N/A N/A TRUSTED SEND LockingSP LockingSP (TCG Set Method) Admin/User Admin/User Authority CoLAx for only Admins (To set for User is impossible) Host Send challenge data None Challenge W Hash_DRBG(#334) TRUSTED RECEIVE Authentication (optionally encrypted) (opt)COKEY X AES256CBC(#2447) (ADI GetRandomData) (Send of wipe challenge and RKey X CHALLENGE ) response authentication to a host device Jan 17, 2014 5 Service Description Role(s) Keys & RWX(Re Algorithm(CAVP Method CSPs Certification ad/Write/e Number) Xecute) Host Verify response data of None COKEY X/(opt)R AES256CBC(#2447) TRUSTED RECEIVE Authentication wipe challenge and Challenge R/(opt)X (opt)HMAC-SHA256( (ADI (Verify response #1511) SendAuthenticationDa RESPONSE) authentication to ta) authenticate a host device Random Provide a random None seed X Hash_DRBG(#334) TRUSTED RECEIVE Number number generated by SHA256(#2081) (ADI GetRandom) generation the CM TRUSTED SEND (TCG Random) Range Block or allow read CoLAx/ULUx N/A N/A N/A -TRUSTED SEND Lock/Unlock (decrypt) / write (LockingSP is (TCG Set Method) (encrypt) of user data Active) -ATA SECURITY in a range. Locking or UNLOCK also requires UU/UM (ATA read/write locking to Security is be enabled enable) CoLSUx Reset (run Runs POSTs and None N/A N/A N/A Power on reset POSTs) delete CSPs in RAM Set range Set the location and CoLAx N/A N/A N/A TRUSTED SEND position and size of the LBA range (TCG Set Method) size CoLAx or CoLSUx Set PIN Setting PIN All role for their PIN W SHA256(#2081) ・TRUSTED SEND (authentication data) PIN Hash_DRBG(#334) -TCG Set CoLAx for -TCG Reactivate CoLSUX’s pin - ADISetPin (reset) ・ SECURITY SET UM for UU’s pin PASSWORD (reset) SECURITY ・ DISABLE PASSWORD Set WIPE Enable/Disable Wipe CoWA N/A N/A N/A TRUSTED RECEIVE Mode related services (ADI Set Mode) Show Status Report status of the None N/A N/A N/A Read STATUS CM REGISTER (50/51h ) TCG Activate Activate LockingSP AdminSP.SID MEK(s)(excep W Hash_DRBG(#334) TRUSTED SEND t Global SHA256(#2081) (AdminSP.activate) Range) AES256CTR(#2447) RKey X PIN W Jan 17, 2014 6 Service Description Role(s) Keys & RWX(Re Algorithm(CAVP Method CSPs Certification ad/Write/e Number) Xecute) TCG Erase user data (in N/A MEK(s) W Hash_DRBG(#334) TRUSTED SEND Cryptographic cryptographic means) RKey X SHA256(#2081) (TCG Erase) Erase (Erase) in an LBA range by PIN W AES256CTR(#2447) changing the data CoLSUx encryption key. User CoLAx PIN is also reset. This method is available only in single user mode TCG Erase user data (in CoLAx MEK(s) W Hash_DRBG(#334) TRUSTED SEND Cryptographic cryptographic means) RKey X AES256CTR(#2447) (TCG GenKey) Erase (GenKey) in an LBA range by changing the data encryption key CoLSUx TCG Erase user data in all CoAA MEK(s) W Hash_DRBG(#334) TRUSTED SEND ( zeroization ranges by changing CoLAx RKey X SHA256(#2081) - LockingSP.RevertSP the data encryption AdminSP.PSID PIN W AES256CTR(#2447) - LockingSPObj.Revert key, initialize range (using PSID1) - AdminSPObj.Revert settings, and reset AdminSP.SID ) PINs for TCG (using SID) authorities. Wipe Erase user data in all CoWM RKey X AES256CTR(#2447) TRUSTED SEND Cryptographic ranges by changing MEK(s) W Hash_DRBG(#334) (ADI Invalidate) Erase the data encryption SHA256(#2081) key. Keep range information (PIN and range configuration) Zeroization Initialize the CM by CoWM RKey X,W AES256CTR(#2447) TRUSTED SEND zeroize a root key CoWA MEK(s) W SHA256(#2081) (ADI Exit) (RKey), all PINs, data COKEY W Hash_DRBG(#334) encryption keys, and PIN W range configuration Table 3 – FIPS Approved services Section 3 – Physical Security The CM has the following physical security: Production-grade components with standard passivation  Three tamper-evident security seals are applied to the CM in factory  One opaque and tamper-evident security seal (PCB SEAL) is applied to PCB of the CM.  This seal prevents an attacker to remove the PCB and survey electronic design Two tamper-evident security seals (TOP SEAL B and TOP SEAL C) are applied to top cover  of the CM. These seals prevent top cover removal Exterior of the drive is opaque  The tamper-evident security seals cannot be penetrated or removed and reapplied without  1 PSID (Printed SID) is public drive-unique value which is used for the TCG Revert AdminSP method. Jan 17, 2014 7 tamper-evidence PCB SEAL TOP SEAL B TOP SEAL C OVERVIEW OF TOP COVER The operator is required to inspect the CM periodically for one or more of the following tamper evidence. If the operator discovers tamper evidence, the CM should be removed. Checkerboard pattern on security seal or top plate  Text on security seals does not match original  A scratch on security seals covered screws  Security seal cutouts do not match original  Jan 17, 2014 8 Section 4 – Operational Environment Operational Environment requirements are not applicable because the CM operates in a “non-modifiable”, that is the CM cannot be modified and no code can be added or deleted. Section 5 – Key Management The CM uses keys and CSPs in the following table. Key/CSP Length(bit) Type Zeroize Method Establishment Output Persistence/Storage SHA digest/System Authority PINs(*) 256 PIN N/A(Hashed) Electronic input No Area Encrypted by COKEY 256*2 Symmetric N/A(Encrypted) Electronic input No RKey / System Area Challenge for Encrypted by Challenge 256 Power-Off RNG Yes authentication COKEY / RAM Encrypted by RKey MEKs 256 Symmetric N/A(Encrypted) RNG No / System Area Yes: Host MSID 256 Public value N/A(Public) Manufacturing Plain / System Area can retrieve RKey 256 Symmetric Zeroization service RNG No Plain / System Area Jan 17, 2014 9 Collected at every Seed 440 RNG seed Every time after used random number No Plain/RAM generation (*)PINs for User / Master / AdminSP.Admin1 / LockingSP.Admin1 – 4 / LockingSP.User1-User9 / WIPE Maker / WIPE Admin Note that there is no security-relevant audit feature and audit data. Section 6 – Self Tests The CM runs self-tests in the following table. Function Self-Test Type Abstract Firmware Integrity Check Power-On EDC 32-bit FW SHA256 Power-On Digest KAT FW HMAC SHA256 Power-On Digest KAT AES(AES CBC) Power-On Encrypt and Decrypt KAT FW AES(AES CBC) Power-On Encrypt and Decrypt KAT FW AES(AES CTR) Power-On Encrypt and Decrypt KAT FW Hash_DRBG Power-On DRBG KAT FW Hash_DRBG Conditional Verify newly generated random number not equal to previous one NRBG Conditional Verify newly generated random number not equal to previous one When the CM continuously enters in error state in spite of several trials of reboot, the CM may be sent back to factory to recover from error state. Section 7 – Design Assurance Refer to the guidance document provided with the CM. Section 8 – Mitigation of Other Attacks The CM does not mitigate other attacks beyond the scope of FIPS 140-2 requirements. Jan 17, 2014 10